Firefox 31 Released; Includes New ECMAScript 6 features

Mozilla has released Firefox 31, including the implementation of new ECMAScript 6 features, malware detection, and new features for game developers.

ECMAScript 6 is the next version of the ECMAScript standard, code-named "Harmony" or "ES.next." In the article Firefox 31 for Developers, the Mozilla team outlines the JavaScript updates that implement ECMAScript 6 features, including:

New Array built-in: Array.prototype.fill() method fills all the elements of an array from a start index to an end index with a static value.

New Math function: Math.clz32() returns the number of leading zero bits in the 32-bit binary representation of a number.

New String built-in: String.prototype.normalize() is available in Firefox Desktop, and returns the Unicode Normalization Form of a given string (if the value isn't a string, it will be converted to one first).

New Object method: Object.setPrototypeOf() sets the prototype (i.e., the internal [[Prototype]] property) of a specified object to another object or null.

A full list of the features already supported in Firefox can be found here.

Aside from the JavaScript updates, the Firefox 31 release also updates the developer tools: JavaScript warnings are on by default in the Web Console, the Network Monitor gains a "copy as cURL" command that "copies the network request to the clipboard as a cURL command, so you can execute it from a command line", and there is an "Option to make Network Monitor logs persistent."

By default, the Network Monitor shows a list of all the network requests made in the course of loading the page. Each request is displayed in its own row.

The Network Monitor is cleared each time you navigate to a new page or reload the current page. From Firefox 31 onwards you can override this behavior by checking "Enable persistent logs" in the Settings.

Firefox 31 also brings with it new malware detection built in. A high level overview of the feature is given on MozillaWiki:

The user-agent performs local lookups whenever a binary file is downloaded. If a local result is not found, the user-agent may perform a remote-lookup on Windows only.

When a binary file is downloaded, the user-agent extracts several pieces of metadata about the file, including:

The target URL from which the file was downloaded, its referrer URL and any URLs in the redirect chain

The SHA-256 hash of the contents of the file

Any certificate verification information obtained through the Windows Authenticode APIs

The length of the file in bytes

The suggested filename for the download

Using this metadata, the user-agent performs local lookups against a blocklist. If the download is supported, it checks an allowlist. If the binary is signed, then the code signing information is checked against the allowlist.

If any blocklist matches are found, the user-agent must not save the file to disk. If any allowlist matches are found, the user-agent may treat the binary as trusted and skip the remote lookup. If no matches are found and the binary was unsigned, the user-agent may send a remote lookup to the application reputation service.
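
The lookup order quoted above, modelled as an added JavaScript example (not Mozilla's code). The list contents, the URL-keyed matching, the field names and the shape of the remote payload are assumptions made for illustration; the returned payload shows which metadata would leave the machine in this model.

```javascript
// Added example: models the local-then-remote decision order quoted above.
// All names, list entries and the payload shape are assumptions (constructed).
const BLOCKLIST = new Set(['http://bad.example/dropper.exe']);
const ALLOWLIST_URLS = new Set(['https://vendor.example/setup.exe']);
const ALLOWLIST_SIGNERS = new Set(['Example Vendor Inc.']);

// Constructed metadata record with the fields the overview lists.
function sample(overrides) {
  return Object.assign({
    url: 'http://downloads.example/tool.exe',
    referrer: 'http://downloads.example/',
    redirectChain: [],
    sha256: 'ab'.repeat(32),      // placeholder digest, not a real file hash
    signer: null,                 // Authenticode signer, null when unsigned
    length: 48128,
    filename: 'tool.exe',
    supported: true               // "if the download is supported"
  }, overrides);
}

function checkDownload(meta, platform) {
  // Target URL, referrer and every redirect hop are all candidates.
  const urls = [meta.url, meta.referrer, ...meta.redirectChain].filter(Boolean);
  const signed = Boolean(meta.signer);

  // 1. Any blocklist hit wins: the file must not be saved to disk.
  if (urls.some(u => BLOCKLIST.has(u))) {
    return { action: 'block', remotePayload: null };
  }
  // 2. An allowlist hit (URL, or signer when signed) skips the remote lookup.
  const urlAllowed = meta.supported && urls.some(u => ALLOWLIST_URLS.has(u));
  const signerAllowed = signed && ALLOWLIST_SIGNERS.has(meta.signer);
  if (urlAllowed || signerAllowed) {
    return { action: 'trust', remotePayload: null };
  }
  // 3. No local result: remote lookup only for unsigned binaries on Windows.
  if (!signed && platform === 'win32') {
    const { sha256, length, filename } = meta;
    return { action: 'remote-lookup', remotePayload: { urls, sha256, length, filename } };
  }
  // Otherwise nothing is sent and no verdict is reached.
  return { action: 'no-verdict', remotePayload: null };
}
```

In this model the only branch that produces a non-null remotePayload is the unsigned, no-local-match case on Windows, which is the case the privacy discussion below concerns.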

The malware detection feature of Firefox 31 has not gone unremarked by the developer community. On the Slashdot article Firefox 31 Released, an anonymous user commented "the 'malware blocking for file downloads' is a severe invasion of privacy. It works by sending the URL of nearly every downloaded file to Google."

On Hacker News, similar sentiment was seen in the discussion Firefox 31.

I'm worried about the privacy implications of this. Especially given that the feature is hidden, and the only two ways to turn it off involve going into about:config, which most people don't even know exists. I wouldn't even know it was doing this if I hadn't read the changelog.

It should be noted that Sid Stamm, senior engineering manager of security and privacy at Mozilla, published an article entitled Improving Malware Detection in Firefox about the feature on July 23, and instructions for turning off malware detection are detailed on MozillaWiki here.

Stamm told InfoQ:

Any time Safe Browsing sends data back to Google, such as information about a suspected phishing page or malicious file, the information is only used to flag malicious activity and is not used anywhere else at Google. After two weeks, any associated information, such as your IP address, is stripped, and only the URL itself is retained.

Away from privacy concerns, the Firefox 31 release brings what the Mozilla Hack team describe in the article Resources for HTML5 Game Developers as "new features that help HTML5 game developers to code and debug sophisticated games."

Among the many improvements to Firefox Developer Tools are updates to the JavaScript Debugger, Style Editor, Page Inspector, Scratchpad, Profiler, Network Monitor and Web Console.

Other notable improvements include the addition of a Canvas Debugger to the browser. The Mozilla Hack team said:

The Canvas Debugger allows you to trace through all canvas context calls that are used to generate a frame. Calls are color coded for specific calls for things like drawing elements or using a specific shader program.

The debugger is not only useful when developing a WebGL based game but can also be used when debugging a Canvas 2D based game.

There are many ways that InfoQ readers can contribute to Firefox, and Mozilla welcome newcomers who wish to be part of the project. A full list of options is available on the Mozilla Developer Network, where a number of How To guides are also published.